Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the coldToFrozen.sh script in the splunk_archiver app to rename critical Splunk directories, making the instance non-functional.<br><br>The Denial of Service is possible because of missing input validation in the coldToFrozen.sh script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.
AnalysisAI
Denial of Service in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged authenticated user to render the entire instance non-functional by exploiting missing input validation in the coldToFrozen.sh script bundled with the splunk_archiver app. The script accepts arbitrary file paths and renames them without restricting operations to safe directories, enabling renaming of critical Splunk system directories. No public exploit or CISA KEV listing has been identified at time of analysis, but the low privilege requirement (PR:L per CVSS) makes this actionable for any authenticated non-admin user in multi-tenant or enterprise deployments. A vendor patch is available via advisory SVD-2026-0504.
Technical ContextAI
The coldToFrozen.sh shell script is part of Splunk's splunk_archiver application, which manages the data lifecycle by transitioning index buckets from cold storage to frozen (archived or deleted) states. The vulnerability is rooted in CWE-20 (Improper Input Validation): the script accepts a user-supplied file path argument and performs a rename operation on it without enforcing any path restriction or allowlist to confine operations to legitimate data directories. This means an attacker can supply an absolute path targeting critical Splunk configuration or runtime directories outside the archiver's intended scope. Affected products are confirmed via CPE strings cpe:2.3:a:splunk:splunk_enterprise and cpe:2.3:a:splunk:splunk_cloud_platform across multiple version branches. The root cause is a missing directory traversal guard in a privileged shell script executed in the context of the Splunk process, rather than a memory corruption or injection issue.
RemediationAI
Upgrade Splunk Enterprise to the patched releases: 9.3.12, 9.4.11, 10.0.5, or 10.2.2 depending on the branch in use. Splunk Cloud Platform customers should ensure their instances are running 9.3.2411.129, 10.0.2503.13, 10.1.2507.21, 10.2.2510.11, 10.3.2512.9, or 10.4.2603.1 or later. Vendor patch is confirmed available via Splunk advisory SVD-2026-0504 at https://advisory.splunk.com/advisories/SVD-2026-0504. If immediate patching is not feasible, a compensating control is to revoke access to the splunk_archiver app for all non-administrative users - this restricts which users can invoke the coldToFrozen.sh script, though it may impact legitimate archiving workflows. Additionally, consider restricting Splunk role assignments so that only trusted users hold any Splunk account, reducing the population of potential attackers. Note that these workarounds do not eliminate the underlying vulnerability and patching remains the definitive fix.
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a
Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and
Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31138
GHSA-2fmj-cw46-4vrm